ssh radius authentication as a client for Linux

Because I had a radius server ready with a group and secret present, was more easy for me if I can acomplish to have some linux machines to authenticate clients via the same radius server. Looks like it was not that easy that I was thinking. I tried multiple options like this and this but I failed.

Digging online, I found a solution and a workaround and I think it make sense to share this here. A very old unsupported application shared a way how to authenticate using a radius server (freeradius as a example).

It is possible to authenticate using the Radius Authentication protocol by a Radius server.
Make sure you install the following PAM to RADIUS authentication module that should be available in any debian/ubuntu distribution. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests. You will need to supply your own RADIUS server to perform the actual authentication.

apt-get install libpam-radius-auth

I would love to see another module available as a package but unfortunately needs to be clone and compile. ibnss_ato module is a set of C library extensions which allows to map every nss request for unknown user to a single predefined user. Basically is used to map your RADIUS authenticated users onto a locally provisioned user.

To do that you need to clone the github repository, make sure you have git installed or you can install it with:

apt-get install git

Then you can do this:

~# git clone
Cloning into 'libnss-ato'...
remote: Enumerating objects: 164, done.
remote: Total 164 (delta 0), reused 0 (delta 0), pack-reused 164
Receiving objects: 100% (164/164), 31.91 KiB | 1.28 MiB/s, done.
Resolving deltas: 100% (78/78), done.
~# cd libnss-ato/
~# make
gcc   -fPIC -Wall -shared -o -Wl,-soname, libnss_ato.c
make gcc     libnss_ato_test.c   -o libnss_ato_test
~# make install
# remeber  /lib/ ->
/usr/bin/install -m 644 ""/lib/
/usr/bin/install -m 644 libnss-ato.3 ""/usr/share/man/man3
cd ""/lib && ln -fs

Add radius and secret to the configuration file:

nano /etc/pam_radius_auth.conf

Make sure you remove all other servers and at the end add the radius servers. If you have only one, just add only one.                secret_key_for_the_first 5                secret_key_for_the_second 5

Create a file configuration for libnss-ato:

nano /etc/libnss-ato.conf

and paste this:


The PAM configuration file for the sshd and login processes are found at /etc/pam.d/sshd and /etc/pam.d/login respectively.
Add this line on the top of both files:

auth sufficient

The NSS configuration file is found at /etc/nsswitch.conf. The top three entries in this file will look as follows:

passwd:   compat ato
group:    compat
shadow:   compat ato

To test if authentication works, open another session and from cli run:

tail -f /var/log/auth.log

After you are logged in using your radius account, you ca run:


This has been tested on a Raspberry Pi 4 using:

~# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION="11 (bullseye)"

2 comments On ssh radius authentication as a client for Linux

  • Hi M-r Paulierco. Your article helped me set up 2fa client, without libnss-ato module I had to create a local account for each AD user.
    Thank you very much – now everything works fine. But still one question remain: now I must enter password and OTP key together, I want first enter my account password and after that I want the system ask me to enter OTP key. May be you know what changes must be done in PAM files?

  • Hi, thank you for writing this up. We use this for managing access to a fleet of Debian servers without having to maintain local user accounts.

    You mentioned it would be great to see this as a package instead of clone and compile. In my case, I didn’t mind compiling once, but I wanted a deb package to distribute to all the servers. This is how I create the deb:
    sudo apt update && sudo apt install build-essential debhelper
    git clone
    cd libnss-ato
    sed -i ‘/DH_COMPAT.*/d’ debian/rules
    fakeroot debian/rules binary

Leave a reply:

Your email address will not be published.

Site Footer